#
server {
{% for value in ngx_header %}
  add_header {{ value }}
{% endfor %}
{% if ngx_allow_methods is defined %}
  add_header Access-Control-Allow-Methods '{{ ", ".join(vars["ngx_allow_methods"]) }}';
{% endif %}
{% if ngx_HPKP is defined %}
  add_header Public-Key-Pins 'pin-sha256="{{ "\"; pin-sha256=\"".join(vars["ngx_HPKP"]) }}"; max-age=63072000; includeSubDomains';
{% endif %}
{% if ngx_dhparam | bool %}
  ssl_dhparam ssl/{{ ngx_dhparam_file }};
{% endif %}
  ssl_certificate ssl/{{ item.domain }}.crt;
  ssl_certificate_key ssl/{{ item.domain }}.key;
  ssl_session_cache shared:SSL:50m;
  ssl_session_ticket_key ssl/session_ticket.key;
  ssl_session_tickets off;
  ssl_session_timeout 60m;
  ssl_trusted_certificate ssl/ca-cert.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_prefer_server_ciphers on;
  ssl_protocols {{ vars["ngx_ssl_protocols_" + ngx_ssl_protocols].protocols }};
  ssl_ciphers {{ vars["ngx_ssl_protocols_" + ngx_ssl_protocols].ciphers }};
  listen {{ ansible_default_ipv4.address }}:{{ ngx_port_https }} ssl http2;
{% if ngx_resolver_dns is defined %}
  resolver {{ " ".join(vars["ngx_resolver_dns"]) }} valid=300s;
  resolver_timeout {{ ngx_resolver_timeout | default('5s') }};
{% endif %}
  server_name {{ item.domain }};

  charset {{ ngx_arg.charset }};
  root {{ ngx_site_path }}/{{ item.domain }};
  index index.html index.php;

  access_log {{ ngx_logs_path }}/access.log main if=$loggable;
  error_log {{ ngx_logs_path }}/error.log notice;
{% if ngx_syslog | bool %}
  access_log syslog:server={{ ngx_syslog_server | list | random(seed=inventory_hostname) }}:{{ ngx_acc_syslog_port }} syslog if=$loggable;
  error_log syslog:server={{ ngx_syslog_server | list | random(seed=inventory_hostname) }}:{{ ngx_err_syslog_port }};
{% endif %}
  
  location = /favicon.ico { access_log off; log_not_found off; }
  location = /robots.txt { access_log off; log_not_found off; }
{% if ngx_pagespeed | bool %}
  location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; }
  location /ngx_pagespeed_admin { allow {{ "; allow ".join(vars["ngx_set_real_ip_from"]) }}; access_log off; deny all; }
{% endif %}

  include {{ ngx_conf_path }}/security.conf;
{% if item.syntax is defined %}
{% for value in item.syntax %}
  {{ value }}
{% endfor %}
{% endif %}
}

{% if item.backend_address is defined %}
upstream backend_{{ item.domain }} {
{% if item.sticky is defined %}
  {{ item.sticky }};
{% endif %}
{% if item.keepalive is defined %}
  keepalive {{ item.keepalive | default('16')}};
{% endif %}
{% for value in item.backend_address %}
  server {{ value }}:{{ item.backend_port }} max_fails=3 fail_timeout=20s;
{% endfor %}
}
{% endif %}
